9b0a71c0eb67cee8308ae604c3927a606b699d9acf7af1470b5d44282d1c9c26

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 23:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dc0313f1fc1a1139157da9ae18ea2c90N.exe
Size

86KB
MD5

dc0313f1fc1a1139157da9ae18ea2c90
SHA1

00d1cf36baef105d31613ee05e4de4326edc1b8e
SHA256

9b0a71c0eb67cee8308ae604c3927a606b699d9acf7af1470b5d44282d1c9c26
SHA512

0d1889448d8bfa5d15c25856f9041dab21b137e28306c8d5c6af9c471e5d68067f5da0ab555fbd6fe9ec90ef1f326486b455be6df204f8f2b4d5779c34c18d6a
SSDEEP

1536:W7ZppApUFpEhLfyBtPf50FWkFpPDze/qFsxEhLfyBtPf50FWkFpPDze/qFsAcEhp:6pWpUFpEhLfyBtPf50FWkFpPDze/qFsM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (4222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\sunec.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ppd.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONGuide.onepkg.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul-oob.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.2\hostfxr.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\.version.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.Design.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Forms.Primitives.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-pl.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.Win32.Registry.AccessControl.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\PresentationFramework.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Integral.thmx.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-phn.xrm-ms.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework.Aero2.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jre-1.8\bin\pack200.exe.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp	dc0313f1fc1a1139157da9ae18ea2c90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc0313f1fc1a1139157da9ae18ea2c90N.exe

C:\Users\Admin\AppData\Local\Temp\dc0313f1fc1a1139157da9ae18ea2c90N.exe
"C:\Users\Admin\AppData\Local\Temp\dc0313f1fc1a1139157da9ae18ea2c90N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-945322488-2060912225-3527527000-1000\desktop.ini.tmp

Filesize
86KB

MD5
9fd101deaeb7f9ad69179563e05c1b8a

SHA1
42c9395ce0cb37cb89a00b2cd1a57bd450baaef4

SHA256
825dca4ffebd39190c3be7e5a10cf9e9f5d550d6d05e52391b0ffc0fef3e5ce1

SHA512
6bb82c118f35cb31b05b69aeb3327bdb80feb537fd42ce1b6809eef6f3da5667ffc4866628ed9658bc42242e4e87b63cf5de2802f5b9accf8986b24e44a43b15

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
185KB

MD5
05f675bdc7b0ecd8c6dbee7a965d9a09

SHA1
27949a3e45e395157b5a648a8d498cabcecb05d3

SHA256
62427cc3910beddd2b49c6d63e90a27b324dced6ce56f3c1e08f48e0b16d96d3

SHA512
72089ef5e846d8ff02e3ba8a74b39b731f46c30a63f4059f00958d7b9694de0c977e70aef952536e3d6af774cb750e7ba6ae48789fe7e844247e673a73c7b1ff

Download Submit